This year Admiral Mike Rogers, the current Commander, U.S. Cyber Command and Director, National Security Agency/Chief, Central Security Service, gave the luncheon keynote address at the U.S. Chamber of Commerce’s Third Annual Cybersecurity Summit, “Sharing Cyber Threat Information to Protect Business and America.” You can find it at: http://www.c-span.org/video/?322382-4/admiral-mike-rogers-cyber-security.
I was intrigued and happy to hear him indicate that the NSA has “no interest in, and in fact doesn’t want any, privacy information” when sharing data among all interested parties to mitigate cybersecurity threats. “In fact it slows me down!” he said around the 50-minute mark.
However, the big problem is that “privacy information” is highly subjective, and what the Admiral may not consider to be “privacy information” may be something I would forcefully argue is indeed privacy-related information. A lack of understanding of privacy, and of the data that impacts it, is what creates many of our current privacy problems across both private industry and the public sector.
So, what is “privacy information”? Like “personal information,” there is no universal definition for it. In fact, it seems many use it interchangeably with “personal information”; however, the two terms most certainly are not synonymous. Most I have talked to agree that “privacy information” is information that can impact individual privacy by providing insights into the lives of individuals in some manner. What is *not* commonly agreed upon are the specific types of information that can impact privacy.
It would be very revealing to determine what Admiral Mike Rogers in particular, and the NSA more broadly, considers to be “privacy information.” From recent published accounts they’ve indicated that such things as metadata, GPS data and IP addresses are not typically considered to be “privacy information,” but of course we know that such information can reveal significant insights into individuals’ lives, and increasingly so with new Big Data analytics capabilities.
When your organization addresses privacy risks, does it consider which information items are to be protected as personal information (PI)? Does it also have a wider set of information that it considers to be “privacy information,” often also referred to as “sensitive personal data”? Does it determine risk based upon the context within which PI, as well as “privacy information,” is collected, used, shared, stored, accessed, retained and disposed of?
When considering the information items your organization collects, derives, stores, processes, and otherwise accesses, it is important to make sure you have taken the following actions:
1) The first step is to determine the information items considered to be PI. You can start by looking at those that are explicitly defined within all the laws, regulations, standards, policies, contracts and any other legal commitments with which your organization must comply. Then add to this list any other information items that on their own could point to a specific individual.
2) The next step, one that many organizations currently overlook, is to determine the other types of information that, considered on their own and out of business context, are not necessarily privacy-impacting (e.g., gender, age, etc.), but that do impact privacy when combined with PI items within certain situations and contexts. These will be your “privacy information” items.
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit TechPageOne (http://techpageone.dell.com/). Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
Tags: Admiral Rogers, Dell, Information Security, information security risks, infosec, NSA, personal information, policies, privacy, privacy information, privacy professor, privacy risks, privacyprof, procedures, Rebecca Herold, risks, sensitive information, sensitive personal data, training